Part of the RECOVER Playbook
Phase: Recover (all vessels)
Satisfies: E26, E27, IMO MSC-FAL.1, BIMCO v5

Offline Backup Verification

This guide defines the offline backup rotation strategy and periodic verification process, ensuring recovery media remains viable and untouched by ransomware that may have compromised online backup systems. Under IACS UR E26 §4.5.2, the vessel must maintain verified offline backup capability for all Category II and III CBS — and must demonstrate to Class that backups have been tested and work.

An offline backup is only truly offline if it requires a human to physically walk to a cabinet and plug it in. In maritime OT security, this air gap is the only absolute guarantee against ransomware that specifically targets backup servers and mapped drives. A backup that is always connected is not a backup — it is a second copy of the infected data.

The three-tier storage protocol

To meet UR E26 §4.5.2, recovery media must be managed in three tiers. The key principle: at any given moment, at least one complete backup must be physically disconnected and locked away — untouchable by any active threat on the network.

Storage type: NAS / server snapshot
  Security status: ONLINE — at risk
  Frequency: Daily automated
  Purpose: Fast recovery of recent data — not ransomware-safe if NAS is network-connected
  Location: Server room — network connected

Storage type: Removable SSD — weekly rotation
  Security status: OFFLINE — safe
  Frequency: Weekly manual clone
  Purpose: Primary ransomware-safe recovery — disconnected after each sync
  Location: ECR safe — locked

Storage type: Master archive USB/SSD
  Security status: ARCHIVE — safe
  Frequency: Updated after each MoC or OEM update
  Purpose: Factory-clean Golden Image — last resort if weekly backup is also compromised
  Location: Master’s safe — highest security

The 7-day rotation schedule

The rotation ensures that at any point of compromise, you have a clean backup from at most 7 days ago that was already physically disconnected before the attack started. This is the minimum rotation frequency for Cat II and III systems.

Mon: Drive A, synced & locked
Tue: Drive A, offline
Wed: Drive A, offline
Thu: Drive B, synced & locked
Fri: Drive B, offline
Sat: Drive B, offline
Sun: Drive A, synced & locked

Two drives rotate on alternating sync days. When Drive A is synced on Monday, Drive B remains locked in the safe from its last sync on Thursday. If the vessel is hit on Wednesday, Drive B — last synced Thursday and disconnected ever since — is clean.

Backup integrity verification — before locking away

Every sync must be verified before the drive is locked in the safe. A backup that was not verified may be corrupt, incomplete, or already infected.

Confirm sync completed without errors — Check the backup software log for any error or warning entries. A backup that terminated early due to a timeout or disk error is not a complete backup.
Verify file count and size — Compare total file count and storage used against last week. A significant drop indicates files are missing — possible indicator of partial encryption before the sync completed.
Spot-check file readability — Open three to five random files on the backup drive to confirm they are readable and not corrupted. This takes two minutes and catches silent encryption not yet detected on the live system.
Verify SHA-256 hash of Golden Image files — If the backup contains the Golden Image, re-verify the hash against the image inventory record. A mismatch means the image was modified after storage — do not use it for recovery.
Disconnect and lock immediately after verification — The drive must be physically disconnected and returned to the safe within the same work session. A verified backup left plugged in overnight is no longer a safe backup.
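The file count/size comparison and the Golden Image hash check from the checklist above, as an added Python example that is not part of the original playbook. The 10 % drop threshold, the inventory format (path on the drive mapped to its recorded SHA-256) and the sample drive built in demo() are assumptions constructed here.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 (large images should not be read whole)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_drive(mount):
    """File count and total bytes on the mounted drive: the week-over-week check."""
    files = [p for p in Path(mount).rglob("*") if p.is_file()]
    return {"files": len(files), "bytes": sum(p.stat().st_size for p in files)}

def verify_backup_drive(mount, previous, inventory, max_drop=0.10):
    """Return (ok, current_stats, findings). `previous` is last week's scan_drive() result,
    `inventory` maps Golden Image paths to their recorded SHA-256; max_drop is an assumed threshold."""
    findings = []
    current = scan_drive(mount)
    for key in ("files", "bytes"):  # a significant drop: possible partial encryption before sync ended
        if previous[key] and current[key] < previous[key] * (1 - max_drop):
            findings.append(f"{key} dropped {previous[key]} -> {current[key]}")
    for rel, expected in inventory.items():  # re-verify the Golden Image against the inventory record
        path = Path(mount, rel)
        if not path.is_file():
            findings.append(f"missing {rel}")
        elif sha256_file(path) != expected:
            findings.append(f"hash mismatch {rel}")  # modified after storage: do not use for recovery
    return (not findings), current, findings

def demo():
    """Constructed sample drive (Golden Image + two log files), then two failure cases."""
    mount = tempfile.mkdtemp()
    sample = {"golden/image.bin": b"A" * 4096, "logs/a.txt": b"x" * 100, "logs/b.txt": b"y" * 50}
    for rel, data in sample.items():
        p = Path(mount, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    img = Path(mount, "golden/image.bin")
    inventory = {"golden/image.bin": sha256_file(img)}   # the image inventory record
    baseline = scan_drive(mount)                          # stands in for last week's figures
    clean = verify_backup_drive(mount, baseline, inventory)
    Path(mount, "logs/a.txt").unlink()                    # files lost before the sync completed
    dropped = verify_backup_drive(mount, baseline, inventory)
    img.write_bytes(img.read_bytes() + b"!")              # image altered after storage
    tampered = verify_backup_drive(mount, baseline, inventory)
    return clean, dropped, tampered
```

In practice `previous` comes from the Backup Verification Log entry of the last sync and `inventory` from the image inventory record, so both are read from files rather than built in memory.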

The restoration drill — quarterly

A backup that has never been tested does not exist as a recovery asset. Perform a restoration drill every quarter — before the annual survey, not after. Class surveyors may ask to see the drill log.

  1. Select a non-essential workstation — Office PC or administrative workstation. Never drill on a Category II or III CBS while the vessel is at sea — use port calls or dry dock periods for higher-tier system drills.
  2. Isolate completely — Disconnect the target workstation from the vessel network before beginning. Confirm it cannot reach any network resource during the drill.
  3. Wipe and restore from offline media — Apply the Golden Image from the offline backup drive using the exact procedure in the SCSRP. The drill must replicate what would happen in a real incident — not a shortcut version.
  4. Verify function — Confirm the OS boots cleanly, all required drivers load, OT application launches, and the system clock syncs correctly to NTP.
  5. Record the result — Log in the Backup Verification Log: date, system used, time to restore, issues encountered, pass or fail. Submit to DPA for SMS filing.

What to do when verification fails

A failed verification is a warning that prevented a crisis — not a crisis itself. Respond immediately.

Hash mismatch
The Golden Image has been modified. Do not use for recovery. Retrieve the shore-side copy. Investigate when and how the image was modified — may indicate a previous undetected compromise.
File count drop
Files missing compared to previous week. Do not use this backup. Check whether the live system also has missing files — if so, encryption may have started before the sync completed.
Restore fails in drill
OS does not boot or application does not launch. Document the failure, identify the cause, rebuild from a clean source, and rerun the drill before the next port call.

Physical chain of custody

Recovery media is a target for physical tampering as well as cyber attack. Class surveyors look for evidence of controlled access and proper labelling.

Labelling — Every drive labelled with: Asset ID · system name · backup date · SHA-256 hash (first 8 characters). Use permanent marker and a printed secondary label — not sticky labels that fall off in humid ECR environments.
Storage location — ECR safe for weekly rotation drives, Master’s safe for archive/Golden Image. Both must be fireproof and waterproof. Keep away from magnetic sources — do not store near large motors, transformers, or generator casings.
Access log — Every time a backup drive is removed from the safe, log: date, time, who removed it, purpose, and when it was returned. This log is the chain of custody evidence Class surveyors request at audit.
Coverage verification — Cross-reference the backup inventory against the CBS Register at each quarterly drill. Every Category II and III system must have a corresponding backup entry. Any gap must be closed before the next survey.

Compliance audit response

“How do you know your backups are not infected?” — “We use a 7-day rotation with two drives alternating. At any point, one drive has been physically disconnected for at least 3 days — longer than our standard incident detection window. We verify file integrity and spot-check readability before locking the drive away after each sync. The last quarterly restoration drill log is in the SMS records.”

This answer demonstrates a functioning backup programme — not just the existence of backup drives. Class surveyors look for evidence of process, not just hardware.
